Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Google Reminding Admins HTTP Pages Will Be Marked ‘Not Secure’ in October

Google began sending out notices to site owners this month who haven’t yet migrated from HTTP to HTTPS warning them that in October their sites will be marked “NOT SECURE.”

Google began sending out notices to site owners this month, reminding those who haven’t yet migrated from HTTP to HTTPS that in October their sites will be marked “NOT SECURE.”

The warnings are directed to owners of HTTP pages that contain forms, specifically sites that include text input fields like <input type=”text”> or <input type=”email”>.

The messages reiterate the fact that with version 62 of the company’s Chrome browser, slated for stable release on or around October 24, Google will require websites with any kind of text input to have a SSL certificate. That is if site owners don’t want their visitors to see the “NOT SECURE” warning pop up in their browser’s omnibox.

The emails don’t come as a complete surprise; they follow up an announcement Emily Schechter, a member of Chrome’s Security Team, first made in April.

Site owners say they’ve received automated emails over the last few weeks via Google Search Console, a free service offered by Google designed to help website owners monitor and maintain their relationship with Google Search.

The notices confirm that users who navigate to HTTP pages in Incognito mode – a feature that can often trick users into thinking they’re safer than they are – will also display the warning.

The emails also come with tips for website owners on migrating to HTTPS, including a Google Support page on the move and the April post on its Chromium developer’s blog.

While the change will affect any site in which users can enter data, like sensitive banking credentials and passwords, web security experts warn that any form of text input, including contact forms, search bars, and login panels, could make HTTP sites more difficult to reach in October.

Tony Perez, co-founder and CEO at Sucuri, a firm that offers website security solutions, said Monday the changes make sense from Google’s standpoint. He added, if admins haven’t already they should ensure SSL is implemented on their site. Furthermore, admins should ensure they force HTTPS so users don’t accidentally stumble onto the non-encrypted version of their site and trigger the warning.

Google first began flashing “NOT SECURE” warnings to users back in January with Chrome 56. Eventually the company plans to brand all HTTP pages, not just ones with text input as non-secure with a red triangle—the same icon Google uses for pages that use broken HTTPS.

HTTPS traffic hit a big milestone back in February when a two-week survey of telemetry data from Mozilla’s Firefox browser showed 50 percent of page loads used the protocol but it’s still proving to be an uphill battle for service providers and website owners alike.

Let’s Encrypt, a certificate authority that’s been leading the charge for the web getting to 100 percent HTTPS usage, said earlier this summer it would begin offering wildcard certificates – certs that webmasters can use with multiple subdomains of a domain – in 2018. The CA said it hopes the planned change will give HTTPS page loads a boost.

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.